Towards a formal model of accountability

We propose a focus on accountability as a mechanism for ensuring security in information systems. To that end, we present a formal definition of it accountability in information systems. Our definition is more general and potentially more widely applicable than the accountability notions that have previously appeared in the security literature. In particular, we treat in a unified manner scenarios in which accountability is enforced automatically and those in which enforcement must be mediated by an authority; similarly, our formalism includes scenarios in which the parties who are held accountable can remain anonymous and those in which they must be identified by the authorities to whom they are accountable. Essential elements of our formalism include event traces and it utility functions and the use of these to define punishment and related notions.